Attacks on ssh port

Alex de Kruijff freebsd at akruijff.dds.nl
Fri Sep 24 14:49:20 PDT 2004


On Sat, Sep 18, 2004 at 01:30:22PM -0400, David D.W. Downey wrote:
> On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw at withagen.nl> wrote:
> > Hi,
> > 
> > Is there a security problem with ssh that I've missed???
> > I keep getting these hordes of:
> >     Failed password for root from 69.242.5.195 port 39239 ssh2
> > with all kinds of different source addresses.
> > 
> > They have a shot or 15 and then they are off again, but a little later on
> > they're back and keep clogging my logs.
> > Is there an "easy" way of getting these ip-numbers added to the
> > blocking-list of ipfw??
> > 
> > Thanx,
> > --WjW
> 
> Well, you want to see those. So long as you have
> 
> PermitRootLogin no
> 
> in your /etc/ssh/sshd_config, they won't be able to get in since ssh
> is then denied for root (except via a valid ssh key which you can
> further lock down by adding

No, ssh keys are also denied. To enable this you have to set
PermitRootLogin to 'without-password' or 'forced-commands-only' (or
yes).

> from="ip.addr, forward.dns.record.of.host" 
> 
> to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)
> 
> A better solution to the verbosity level would probably be to change
> your kernel config to have something like
> 
> options  IPFIREWALL_VERBOSE_LIMIT=3
> 
> or using the sysctl.conf oid
> 
> net.inet.ip.fw.verbose_limit=3
> 
> Then you can still see the attempts (and thus log the IP information
> for contacting the abuse@ for the responsible IP controller) while
> limiting your log sizes.

This only logs the first three catches (when the log attribute is set)
per rule. You may want to set this a little higher, like 100.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
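
Added example, not part of the original thread or written by its participants: one way to turn the "Failed password" lines quoted above into ipfw deny rules for review. The function names, threshold, allow list, rule numbers and sample log lines are assumptions constructed for illustration; only the log line format and the address 69.242.5.195 come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Line format as quoted in the thread. Anchored at end of line: the username is
# client-supplied and may itself contain " from <addr> port N ssh2".
FAILED = re.compile(
    r"Failed password for (?:invalid user )?.+ from (?P<ip>\S+) port \d+ ssh2$")

def offenders(lines, threshold=5, allow=()):
    """Return sorted source addresses with at least `threshold` failures."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address: never hand it to the firewall
        if any(ip in net for net in allowed):
            continue  # do not lock out our own management networks
        counts[ip] += 1
    return sorted(str(ip) for ip, n in counts.items() if n >= threshold)

def ipfw_rules(ips, start=20000):
    """Build one deny rule per address; the rule numbers are an assumption."""
    return [f"ipfw -q add {start + i} deny tcp from {ip} to me 22"
            for i, ip in enumerate(ips)]

# Constructed sample input (hostname, PIDs and timestamps are made up).
SAMPLE = [
    "Sep 18 12:00:01 host sshd[411]: Failed password for root from 69.242.5.195 port 39239 ssh2",
    "Sep 18 12:00:03 host sshd[412]: Failed password for root from 69.242.5.195 port 39240 ssh2",
    "Sep 18 12:00:05 host sshd[413]: Failed password for root from 69.242.5.195 port 39241 ssh2",
    # Username crafted to smuggle a different address into the line.
    "Sep 18 12:01:00 host sshd[415]: Failed password for invalid user a from "
    "192.0.2.10 port 1 ssh2 from 203.0.113.9 port 40000 ssh2",
    "Sep 18 12:02:00 host sshd[416]: Failed password for root from 192.0.2.77 port 5000 ssh2",
    "Sep 18 12:03:00 host sshd[417]: Accepted publickey for alex from 192.0.2.77 port 5001 ssh2",
]

if __name__ == "__main__":
    for rule in ipfw_rules(offenders(SAMPLE, threshold=3, allow=["192.0.2.0/24"])):
        print(rule)
```

The rules are only printed, so they can be checked before being fed to a shell.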

